Add activate-credential service to metadata server #4132
Conversation
go-tpm has moved the old tpm2 interfaces to "legacy/tpm2"; this commit updates the tpm2 import paths in pillar to reflect the change and makes it possible to use the "legacy/tpm2/credactivation" APIs. Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Note that you have some zfs build issue.
LGTM
The Go tests fail at
working on it.
// as it contains the type. so make sure the length is greater than 2.
if len(credBlob) < 2 || len(encryptedSecret) < 2 {
sure the length is greater than 2
but your check is whether it is greater than or equal to 2
I just want to skip the first two bytes, so it should have at least 2 bytes; it is up to ActivateCredential how it wants to handle an empty buffer.
Activate credential provides proof that the Endorsement Key (EK) and a signing key (in this case the EVE-created AIK) are owned by the same TPM. This is a way to extend the trust from the EK (which theoretically comes with an OEM certificate) to an arbitrary TPM-resident, restricted signing key. The added service allows establishing trust in the AIK and signing arbitrary data with it. Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
If EvictControl fails, log a warning and continue. This is a non-fatal error and can happen if the handle does not exist in the TPM. Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Kick off tests
Tests all green but there is one grammar error pointed out by Yetus.
LGTM, big thanks from me for writing tests :)
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Activate credential provides proof that the Endorsement Key (EK) and a signing key (in this case the EVE-created AIK) are owned by the same TPM. This is a way to extend the trust from the EK (which theoretically comes with an OEM certificate) to an arbitrary TPM-resident, restricted signing key. Besides the EK<->AIK proof, this endpoint allows signing arbitrary data with the AIK.
This is part of some preliminary work for #4071
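An added example, not code from this PR or from go-tpm, covering the two-byte prefix check debated in the review above and the input handling of the activate-credential endpoint the description introduces. It assumes the two leading bytes of credBlob and encryptedSecret are a big-endian TPM2B size prefix as emitted by go-tpm's credactivation.Generate; stripTPM2BPrefix and prepareActivation are hypothetical names.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrShortBlob = errors.New("buffer shorter than the 2-byte TPM2B size prefix")
var ErrSizeMismatch = errors.New("TPM2B size prefix disagrees with payload length")

// stripTPM2BPrefix validates and removes the 2-byte big-endian size prefix that
// (assumption) credactivation.Generate puts in front of credBlob and encryptedSecret.
// Beyond the PR's len(b) < 2 guard it also rejects a prefix that disagrees with the
// payload, so a truncated or padded request fails here rather than in the TPM. A zero
// prefix over an empty payload passes; handling that is left to ActivateCredential.
func stripTPM2BPrefix(b []byte) ([]byte, error) {
	if len(b) < 2 {
		return nil, ErrShortBlob
	}
	size := int(binary.BigEndian.Uint16(b[:2]))
	payload := b[2:]
	if size != len(payload) {
		return nil, fmt.Errorf("%w: prefix %d, payload %d", ErrSizeMismatch, size, len(payload))
	}
	return payload, nil
}

// prepareActivation checks both inputs of an activate-credential request and
// returns the stripped pair, or an error naming the offending field.
func prepareActivation(credBlob, encryptedSecret []byte) ([]byte, []byte, error) {
	cred, err := stripTPM2BPrefix(credBlob)
	if err != nil {
		return nil, nil, fmt.Errorf("credBlob: %w", err)
	}
	secret, err := stripTPM2BPrefix(encryptedSecret)
	if err != nil {
		return nil, nil, fmt.Errorf("encryptedSecret: %w", err)
	}
	return cred, secret, nil
}

func main() {
	// Constructed inputs: a well-formed pair, then a secret whose prefix claims 16 bytes.
	cred := []byte{0x00, 0x03, 0xaa, 0xbb, 0xcc}
	c, s, err := prepareActivation(cred, []byte{0x00, 0x04, 0x01, 0x02, 0x03, 0x04})
	fmt.Printf("%x %x %v\n", c, s, err)
	_, _, err = prepareActivation(cred, []byte{0x00, 0x10, 0x01})
	fmt.Println(err)
}
```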